Proceedings of the 2007 IEEE WeC4.3Intelligent Transportation Systems ConferenceSeattle, WA, USA, Sept. 30 - Oct. 3, 2007

Analysis of a Secure Software Upload Technique in AdvancedVehicles using Wireless Links

Irina Hossain, Student Member, IEEE, Syed Masud Mahmud, Member, IEEE

Abstract- Software modules of an advanced vehicle can be both consumers' and auto manufacturers' time and moneyupdated using Remote Software Upload (RSU) techniques. The [1].RSU employs infrastructure-based wireless communication When a particular vehicle experiences some problems withtechnique where the software supplier sends the software to the its functionality, then the software provider can establish atargeted vehicle via a roadside Base Station (BS). However, point-to-point communication link with the vehicle via asecurity is critically important in RSU to avoid any disasters roadside base station (BS) under which the vehicle residesdue to malfunctions of the vehicle or to protect the proprietary adside bae ne (Bs) undewi the vehicl idesalgorithms from hackers, competitors or people with malicious and sends the necessary software to the non-functioningintent. In this paper, we present a mechanism of secure nmodule. However transmittingsoftware packets over radiosoftware upload in an advanced vehicle. In order to increase channels makes eavesdropping, data altering, theft ofthe security level, we propose the vehicle to receive two copies service, and denial of service (DoS) attacks easier forof the software along with the Message Digest (MD) in each adversaries. Hence, additional security mechanisms arecopy. The vehicle will install the new software only when it needed to protect the communication over wireless network.receives two identical copies of the software. To validate our This paper presents a secure architecture for remoteproposition we find analytical expressions of average number software upload in a vehicle. The proposed techniqueof packet transmissions for successful software update. We authenticates software provider as well as the vehicle toinvestigate different cases depending on the vehicle's buffer sizeand verification methods. Our analytical and simulation results fwhich software needs to be uploaded, and provides integrityshow that it is sufficient to send two copies of software to the of the software being transmitted from vendor to vehicles. Invehicle to thwart any security attack while uploading the order to increase the security level of the proposedsoftware. mechanism we analyze different scenarios with regard toKey words advanced vehicle, authentication, vehicle's buffer size and software packet verification

security, software upload and wireless communication. methods using analytical and simulation models.The paper is organized as follows. Section II presents

I. INTRODUCTION background information about the technology used in this

XX[ITH the use of information and computer-based work and a brief review of past researches done, Section IIIvi' technologies, advanced electronic systems, sensing describes the Remote Software Upload (RSU) architecture

and intelligent algorithms, an advanced vehicle we proposed and its analytical modeling, Section IV..' . ............ . summarizes the results of analysis and simulation, andincorporates various advanced features, such as drive-by-

wire, telematics, pre-crash warning, remote diagnostics, Section V presents the conclusion.highway guidance, traffic alert etc. Introduction of newfeatures, improvement of existing features, updatingnavigation information etc. will require software update in Since wireless communication technologies providevehicle's electronic modules from time to time. On the other various advantages, such as portability, flexibility, lowerhand, evolution of wireless technologies has directly installation cost and increased efficiency, they are becomingbenefited the nation's transportation system. The automotive the communication infrastructure of choice in our everydayindustry and Intelligent Transportation System (ITS) use lives. Advances in wireless communication system havedifferent wireless technologies for different applications potential value for nation's transportation system. Usingincluding road safety, traffic management and driver Global Positioning System (GPS) and voice-activatedassistance. In the same way, software update in vehicle's cellular system, OnStar Corporation has successfullyelectronic modules could be benefited from using the deployed Advanced Automatic Crash Notification (AACN)wireless technology. Remote software upload, using wireless deloed AdvancedeAuto CrasNifictin (aan)' . ~~~system in modern vehicles to report accidents in reliable andcommunication links, will aid the update process by saving timely manner [2]. Auto manufacturers are exploring

Bluetooth technology for in-vehicle Wireless Personal AreaManuscript was received April 15, 2007.Irmna Hossain is with the Department of Electrical and Computer Network (WPAN) which will connect various on-board

Engineering, Wayne State University, Detroit, MI. Phone: 651-815-5828; devices such as cell phones, PDAs, laptops and GPSFax: 651-305-4549; e-mal:ihossaln:wyne.edu. transceiver [3].

Syed Masud Mahmud is with the Department of Electrical and Although wireless technologies offer the users withComputer Engineering, Wayne State University, Detroit, MI. Phone: 313- ..577-3855; Fax: 313-577-5845; e-mail: srahu d> e>n.dw ed. additional conveniences over the wired technologies, they

also introduce unique security challenges. Various threats

1-4244-1396-6/07/$25.OO ©r2007 IEEE. 1010

and vulnerabilities associated with wireless network and using a secure link such as SSL/TLS. Upon receiving thehand held devices are listed in [4]. Hence, additional message, the SV creates a SW updatejoin request messagemechanisms are needed to protect the security, i.e., integrity, that consists of a message ID, a Vehicle's ID (VID, could beauthenticity and confidentiality of communication over a part of its VIN number), a module ID to which thewireless networks. software needs to be updated, the version number of the

In previous, secure software update techniques in mobile software and a session key k. The SV digitally signs it,devices over IP network have been proposed [5-6]. Since encrypts the message and the signature using kv and sendssecurity protocols in WLAN and WWAN have security emflaws, they proposed both symmetric and it to the BS under which Vm is currently located. The BSasymmetric/public-key cryptographic techniques and the honestly relays the message to Vm. After receiving thecombination of two (symmetric and asymmetric). In order toincrease the security level, we propose the vehicle to upload SW updatejoin request message, Vm decrypts the messagetwo copies of the software and the message digest (MD) in using kJj verifies the signature and version number of theeach copy. Since the vehicle will not accept the software m

unless the packets in two copies match, there is no chance software and sends a join_acceptance message. Ifthat the vehicle will upload the software that is changed by authentication fails, the vehicle V. ignores the message.the hacker.

Softwaq=iIi111. THE SECURE SOFTWARE UPLOAD ARCHITECTURE SupplierThe detail description of Remote Software Upload (RSU) SI

technique in a vehicle using wireless communication link -~~~~Software Packet

was described in [1]. In our architecture, we assume that the-I wire link

Auto Company (AC) might have its own software-

,L ... High-speed wireddistribution center or it has agreement with a third party linkkSoftware Vendor (SV) to provide the required software.Each vehicle has its wireless unit installed in it tocommunicate with each other as well as with the BSs. The _AC, the SV and BSs are connected through high-speedwired/wireless networks, whereas the vehicles that travelbiret/wirelenscell ors,canhcomcate wthe uerily tnetwrk Fig 1. Remote Software Distribution Network using Wireless Linkbetween cells, can communicate with underlying networkvia BSs using long-range wireless communication links, e.g., B. Sending the Software Packetscellular or Wi-Fi links. The BS, under which the targeted After successful authentication of both the vehicle and thevehicle resides, receives software packets from the SV using SV, the SV starts sending the software packets encryptedsecure communication technique such as SSL/TLS and with the session key k. The SV can use this key to create atransmits the packets to the targeted vehicle through secure MAC (Message Authentication Code) value of eachwireless link (Fig. 1). software packet and send it along with the packet. The

vehicle verifies the authenticity of the packet by checkingA. Authentication and Key Agreement Process the MAC, and the integrity of the packet by comparing theWhile a wireless device is installed in a vehicle Vm, a set hash value of the received packet and the one contained in

Xn

the MAC. Since both parties share the same secret key,authentication keys kv ,k/ )is provided to it. anyone who has the key could generate the MAC, thus it

does not guarantee non-repudiation in case of disputeEach key is used to authenticate V. at each softwaredosntganeeo-rpitonncsefdsueEach ke susdtutetcteaahsotaebetween the SV and the vehicle. Moreover, if an intruderdistribution session. A copy of these keys will also be kept could successfully change both the packet and the MACin a secure Central Server (CS) which is maintained by the value then there is no way that the vehicle could verify theAC or any trusted party. The key management process for software. A better solution for software upload wasvehicle's authentication key was described in [1]. The AC or proposed in [1] where it was suggested that the vehicleany other Certification Authority (CA) issues Digital receives two copies of the software along with the MessageCertificates to the SV and all BSs which contain their Digest (MD) in each copy. If some packets of the first copyauthentic public-keys. We assume that all the vehicles and do not match with the corresponding packets in the secondthe BSs have a copy of the SV's authentic public key and copy, the vehicle requests to send the unmatched packets.the BSs have each others public key. After receiving both the copies along with the MDs, theWhen the AC decides to upload software to a vehicle V., vehicle calculates an MD based on the received software

and compares it with the received MD. The vehicle acceptsit sends an unused authentication key kv and the module the software only when the calculated MD and received MDnumber to which software needs to be uploaded to the SV match. Fig. 2 shows the flow diagram of the technique. In

the next section we present several ways how the vehicle

1011

one segment or total software successfullyiProbability of success in ith trial

Vehicle receives two copies of Pisoftware with Din each copyN1 Average number of packet transmission to

I receive one good packetN Average number of packet transmission for

Vehicle decrypts both copiessuccessful software upload

2) DefinitionsFig. 3 shows different software upload techniques that we

Are the Yes Vehicle computes | consider in our analysis.\same? / MD foreachcopy a) Single-copy Software Upload

If there is only one buffer in vehicle's software module to0No No / \ accept the new software and one copy of the software

Vehicle starts pair-wise packe Received MD packets is sent appended with the MD then it is calledcomparison between two copies, - Computed Single-copy Software Upload.requests retransmission of \ MD? /Softwareunmatched packets until twco\ Uploadcopies match using one of thetechniques mentioned here Yes

Vehicle computes MDVehicle accepts the

Single-copy Segmented Multiple-copyV e c e MswAr Software Single-copy Software Upload

Upload SoftwareT T ~~~~~~~~~~Yes | UploadllI/ eivedM D Yes

Computed ~~~~~~~~~~~~~~~FiniteBuffer InfiniteMD? ~~~~~~~~~~~~~~~Case Buffer CaseX MD.99~~~~~~~ie< MD|

/ ><=~10Computed >

Finite Buffer Finite Buffer Finite buffer withVehicle requests with Pair with Random Consecutive Goodretransmission ofMD No Transmission Packet Delete Packets

Vehicle rej ectsFig 3. Different Software Upload Technique

Ithe software

Fig. 2. Two-copy Software Upload Technique b) Segmented Single-copy Software UploadIf the software packets are divided into segments of

receives two copies of the software and find analytical certain number of packets and each segment is sent with theexpressions for average number of packet transmissions (N) MD then it is called the Segmented Single-copy Softwarefor successful software reception in each case. In order to do Upload.the comparison, we also present the expression of N forsingle- copy software upload technique. c) Multiple-copy Software Upload1) Notation If there are more than one buffer and multiple copies ofThe symbols and notations that will be used throughout the software packets are sent with the MD in each copy

the paper are presented in Table I. unless there is a match found then it is called the Multiple-copy Software Upload.

TABLE I NOTATIONS USED IN RSU TECHNIQUESymbol Significance d) Infinite Buffer Case

M Total number of software packets without MD If there are infinite number of buffers to accept multiplem Number of packets in a segment copies of a packet to compare a new copy of the packet with

M the packets already received until a match is found then it ism called the Infinite Buffer Case. This is the ideal case and not

p Packet error probability due to hacking practical, which requires minimum number of packetP pair Probability that a packet-pair do not match transmissions for a successful software upload.

due to hackingPsoft Probability that the received software is inerror due to hackingT Average number of trial to send one packet or

1012

e) Finite Buffer Case divide M software packets into S segments with m packets inIf there are two buffers to accept two copies of a packet each segment. Then the average number of trials required

sending one segment successfully isand one or both of the packets are replaced by the new 1 (4)packets transmitted until the vehicle receives a good packet (I _)m+i(4then it is called the Finite buffer Case. Average number of packet transmission needed for

fi Finite Buffer with Pair Transmission successful upload of S segments is

If a packet-pair do not match then the vehicle could delete N = (m + I)ST (m + sboth packets and request to send another pair until a (I- P)m+(matched pair is found. This case is defined as the Finite 5) Multiple-copy Software Upload -Infinite Buffer CaseBuffer with Pair Transmission. For each software packet, the vehicle first receives two

copies of the packet. If the packets do not match, it requestsg) Finite Buffer with Random Packet Delete to send another copy of the packet. The third copy is

If a packet-pair do not match then the vehicle could delete compared with the previous two. If no match is found itone randomly chosen packet and request to send another requests for another copy. Since there is infinite number ofpacket until a matched pair is found. This case is defined as buffers, after receiving ith packet it compares the packetthe Finite Buffer with Random Packet Delete. with previous i -1 packets. The process continues until a

matched-pair is found.h) Finite Buffer with Two Consecutive Good Packets The probability that a packet is received successfully in

If a packet-pair do not match then the vehicle always the ith trial isdeletes the older packet and requests to send another packet (until a matched pair is found. This case is defined as the Pi Jip-1 -J) ,i=1,2,3 .0 (6)Finite Buffer with Two Consecutive Good Packets. The average number of packet transmission for successful

upload of one packet is3) Single-copy Software Upload °° 2

After receiving all the encrypted software packets and the Np = (i + l)p= (7)MD, the receiving vehicle decrypts the packets, calculates i= -Pan MD and compares it with the received MD. If both theMDs match, then the vehicle accepts the software. The average number of packet transmission for successfulOtherwise, it requests the supplier to retransmit the entire software upload issoftware. In this method, if a hacker changes at least one N = (M + )NP = 2(M + 1) (8)software packet, then the calculated MD will differ from the P i-preceived MD. Since the vehicle or the supplier does not 6) Finite Buffer with Pair Transmissionknow which packet has been changed, the supplier needs to In this case, if both the copies of a packet do not match,retransmit the entire software including the MD which the supplier will send another pair of packets.requires more network bandwidth. Moreover, if a hacker can The probability that a pair does not match issuccessfully change a packet from every transmission, it is 2not possible at all to upload the software successfully. Ppair = 1- (l - p)

For packet error probability p due to hacking, the The average number of trials to send one packet successfullyprobability that the software is in error is: is

Psft=O (l -) +I (1) T0Zi(1p)2(1(1p)2Ji =E(l-Ppair)Ppjir

The average number of trials required to send the software i i=successfully is 1 1

T =(1-P50fi)ilP.50t = 1 = 1-P50ti (2) ]-Ppair (1-P) (10)i=1

The average number of packets transmission for successful The average number of packet transmissions for successfulsoftware upload is software upload is

N=(AlM+1)T= M+1 (3) N=2(M+1)T=-(M) (11)(Il-p) + (Il-p)2

4) Segmented Single-copy Software Upload 7) Finite Buffer with Two Consecutive Good PacketsIn case of Single-copy Transmission, if the number of When the two received copies of a packet do not match,

software packets M increases, the average number of packet the vehicle replaces the first copy in buffer 1 with the secondtransmission for successful software upload increases copy in buffer 2, requests to send another copy and places inexponentially (1). An alternative approach could be to buffer 2. The average number of packet transmissions for

1013

successful upload of one packet is The average number of x 4 Single-copy Transmissionpacket transmissions for successful upload of one packet is ;22.5

00 ~ 2-pNp =Ey(i+jr= f 2 (12)

j=1 ~~~~~~~~~~~~~~~~2-Then the average number of packet transmissions forsuccessful software upload is M = 1024, Simulation

N-= (M+1)N = f(M+ IX2 -p) ' M = 1024, Analytical(1-pP(\2 M =512, Simulation

+ M =512, Analytical01

IV. SIMULATION RESULTS

We now present simulation results to validate the A).5analytical expressions developed for different softwareupload Techniques. For a particular packet error probability ---_-----_ _-----_----_--p due to hacking, we generated a uniformly distributed 1 -6 1 -5 1 1- 10-random number using drand48( function in C++ with gcc Packet Error Probability (p)compiler. If the random number is less than p then the Fig. 4. Comparison of Analytical and Simulation results for Single-packet was considered as a bad packet and vise versa. copy Software Upload Technique

Fig. 4 and Table II show the resemblance between the Effect of Segmentationanalytical and simulation results for the average number of 3000 gpacket transmissions for the Single-copy and Multiple-copy = 2800software upload techniques, respectively. For the Single- °copy transmission, at higher p the average numbers of g 2600packet transmissions (N) for successful software upload i 2400 s= 1increases exponentially as the software size increases. 2 S4

2200 S=8However, if the software is sent in segmented form, it t S= 16reduces N considerably. Fig. 5 exemplifies the effect of , 2000segmentation for the software size with 1024 packets and o 1800different number of segments. The more the number of ,segments, the lesser is the number of packet transmissions 160necessary for successful software upload. Conversely, as the z 1400number of segments increases, it might take more time to >120encrypt, decrypt and transmit all the segments. Hence, there =should be a trade-off between number of segments and ¢1 10-6 10-5 10-4 1 o-3processing time. Packet Error Probability

The Two-copy software upload is always superior to the (p)Single-copy software upload as long as security is Fig. 5. Effect of segmentation on Single-copy Software Upload for M=concerned. Since the second copy will be transmitted after a 1024random time interval in a random packet order, it is very number of packet transmissions with respect to the idealunlikely that an intruder would know whether a second copy case where we have infinite number of buffers. In general,will be transmitted or not. Moreover, even if an intruder the hacking probability is very low. Thus, any of thechanges one packet of the first copy, it would be difficult for techniques could be used if there are one or more unmatchedhim to change the same packet in the second copy due to the packet pairs. In addition, N does not vary notably betweenrandomness of packet transmission. the two buffer case and the infinite buffer case. Addition of

Fig. 6 represents the average number of packet more buffers would not increase the performance oftransmissions (Np) to upload a single packet successfully in software upload remarkably. Consequently, we propose tothe multiple-copy software upload scenario. Unlike the use not more than two buffers in vehicle's software modulessingle-copy software upload, the total number of packet to upload two copies of software.transmissions necessary to upload the entire software is At lower p, single-copy software uploads requires fewerlinearly dependent on the software size (eq. (8), (11) and number of packet transmissions than the multiple-copy(13)). software uploads. However, the later technique offersFrom Fig. 6 it is also observed that for low values ofp, on additional security if the software packets are transmitted in

average only two packets need to be transmitted for any of random order and the second copy is transmitted after athe techniques we mentioned above. For a high value of p, random time interval with a very long average value.Finite Buffer with Random Packet Delete provides the least Hence, we recommend that initially the supplier should

send two copies of the software in the vehicle.

1014

TABLE II. COMPARISON OF ANALYTICAL AND SIMULATION RESULT FOR DOUBLE-COPY TRANSMISSION

Finite Buffer with Pair Finite Buffer with Two Finite BufferTransmission Consecutive Good Packets with Random

p~~~~~~~~~~~~~~~~~~~~~~~~~~~Packet Delete

Np Np Np Np Np Np Np(Simulation) (Analytical) (Simulation) (Analytical) (Simulation) (Analytical) (Simulation)

0.1 2.2228 2.2222 2.4704 2.4691 2.3443 2.3457 2.2847

0.01 2.0204 2.0202 2.0406 2.0406 2.0303 2.0304 2.0253

0.001 2.0020 2.0020 2.0040 2.0040 2.0031 2.0030 2.0024

0.0001 2.0002 2.0002 2.0004 2.0004 2.0003 2.0003 2.0003

0.00001 2.0000 2.0000 2.0000 2.0000 2.0000 2.0000 2.0000

Two-copy Transmission The RSU will have huge demand in Auto industry in the1 ~~~~~~~~~~~~~nearfuture. If it could be implemented successfully, it will

save both AC and consumers' time and money.

REFERENCES

InFinite bufferwithpairtransmission [1] Syed Masud Mahmud, Shobhit Shanker and rina Hossain, "SecureI 1 Finite buffer with consecutive good packe s Software Upload in an Intelligent Vehicle via WirelessA- -Finite buffer with random packet delete Communication Links," in Proc. of the 2005 IEEE Intelligent

a) Vehicles Symposium, June 6-8, 2005, Las Vegas, Nevada, USA,0 pp. 587-592.

[2] http://www.onstar.como [3] Syed Masud Mahmud and Shobhit Shanker, "An In-Vehicle

Secure Wireless Personal Area Network (SWPAN)," in the IEEEi- XTransactions on Vehicular Technology, Vol. 55, No. 3, pp. 1051-

1061, May 2006.+o [4] Tom Karygiannis and Les Owens, "Wireless Network Security

802.11, Bluetooth and Handheld Devices," NIST SpecialPublication 800-48, U.S. Department of Commerce, TechnologyAdministration, and National Institute of Standards and

1 O lll Technology. http://csrc.nist.gov/publications/nistpubs/800-10-6 10-5 i G0410-3 1o-2 1o-1 1&9 48/NIST_SP_800-48.pdf

Packet error Probability (p) [5] C. Y. Yeun and T. Famham, "Secure Software Download forFig. 6. Average number of packet transmission (Np) for successful Programmable Mobile User Equipment," in Proc. of 3rd

upload of a single packet for Two-copy software upload Technique Generation Conference on 3G Mobile CommunicationTechnologies, 8-10 May, 2002, pp. 505-510.

V. CONCLUSION [6] Wael Adi, Ali Al-Qayedi, Khaled Negm, Ali Mabrouk and SarhanM. Musa, "Secured Mobile Device Software Update over IP

The paper presents detail architecture of RSU in an Network," in Proc. of IEEE SoutheastCon, 26-29 March, 2004,advanced vehicle's software modules using an existing pp. 271-274.wireless communication technology such as Wi-Fi orcellular. In this architecture, the BSs act as proxies toreliably and honestly relaying the software packets fromthe SV to the vehicle. Since they do not have access to thesoftware packets, it eliminates any security threat thatmight exist if the BSs locally decrypt and encrypt thepackets. The architecture provides mutual authenticationof the SV and the vehicle. A vehicle's authentication keysare shared between the AC and the vehicle, and Differentauthentication keys are used for different softwaredistribution sessions which prevent known-key attack. Wesuggest the SV to send two copies of the software to thevehicle to increase the level of security. Moreover, digital

signature of the SV ensures non-repudiation and the MDof the entire software provides integrity of the software.

This paper focuses on the software upload in a singlevehicle. However, if the AC needs to upload software to alarge number of vehicles, then wireless multicasting wouldbe a better solution than multiple unicasting to individualvehicles.

1015